Krebs on Security

In-depth security news and investigation

We Take Your Privacy and Security. Seriously.

“Please note that [COMPANY NAME] takes the security of your personal data very seriously.” If you’ve been on the Internet for any length of time, chances are very good that you’ve received at least one breach notification email or letter that includes some version of this obligatory line. But as far as lines go, this one is about as convincing as the classic break-up line, “It’s not you, it’s me.”

I was reminded of the sheer emptiness of this corporate breach-speak approximately two weeks ago, after receiving a snail mail letter from my Internet service provider — Cox Communications. In its letter, the company explained:

“On or about Aug. 13, 2014, “we learned that one of our customer service representatives had her account credentials compromised by an unknown individual. This incident allowed the unauthorized person to view personal information associated with a small number of Cox accounts. The information which could have been viewed included your name, address, email address, your Secret Question/Answer, PIN and in some cases, the last four digits only of your Social Security number or drivers’ license number.”

The letter ended with the textbook offer of free credit monitoring services (through Experian, no less), and the obligatory “Please note that Cox takes the security of your personal data very seriously.” But I wondered how seriously they really take it. So, I called the number on the back of the letter, and was directed to Stephen Boggs, director of public affairs at Cox.

Boggs said that the trouble started after a female customer account representative was “socially engineered” or tricked into giving away her account credentials to a caller posing as a Cox tech support staffer. Boggs informed me that I was one of just 52 customers whose information the attacker(s) looked up after hijacking the customer service rep’s account.

The nature of the attack described by Boggs suggested two things: 1) That the login page that Cox employees use to access customer information is available on the larger Internet (i.e., it is not an internal-only application); and that 2) the customer support representative was able to access that public portal with nothing more than a username and a password.

Boggs either did not want to answer or did not know the answer to my main question: Were Cox customer support employees required to use multi-factor or two-factor authentication to access their accounts? Boggs promised to call back with an definitive response. To Cox’s credit, he did call back a few hours later, and confirmed my suspicions.

“We do use multifactor authentication in various cases,” Boggs said. “However, in this situation there was not two-factor authentication. We are taking steps based on our investigation to close this gap, as well as to conduct re-training of our customer service representatives to close that loop as well.”

This sad state of affairs is likely the same across multiple companies that claim to be protecting your personal and financial data. In my opinion, any company — particularly one in the ISP business — that isn’t using more than a username and a password to protect their customers’ personal information should be publicly shamed.

Unfortunately, most companies will not proactively take steps to safeguard this information until they are forced to do so — usually in response to a data breach. Barring any pressure from Congress to find proactive ways to avoid breaches like this one, companies will continue to guarantee the security and privacy of their customers’ records, one breach at a time.

This entry was posted on Monday, September 29th, 2014 at 4:14 pm and is filed under Data Breaches.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

Let’s be reasonable. “Customer service” phone bank jobs are poorly paid, and I suspect it’s hard to get the attention and understanding of trainees focused on IT security and guarding against social engineering, which are concepts that elude many much higher-paid people in corporate and government management jobs.

Given the consumer revolt against automated phone systems a decade or so ago, you have to assume that a living, breathing customer service agent is there primarily to make you feel as though you’re being listened to. No large firm wants to pay people in such positions, who tend not to stay very long, enough to merit their enthusiasm or attention to detail. Cable companies tend to be the worst, presumably because they need the largest armies of people whose English can be understood by the consumers. I remember with fondness the days when Comcast had a direct tech support line; calling it on the graveyard shift guaranteed a swift connection with a knowledgeable wire head who preferred working late at night to dealing with the cluelessness of most non-wirehead customers. That number, of course, was disconnected, and when I left the clutches of Comcast, a customer seeking tech support had to go through customer “support” and get the call escalated before a tech support person was put on the case.

I’ve always figured the “take your privacy and security seriously” line was first circulated as a joke, but I’ve now got a collection of letters with that line, from credit card companies and a software company so far. If it’s a joke, it’s only on the consumer. The exception may be the card issuers, who stand to lose money if they let fraud continue undetected.

I’d think that any system where the good of the many outweighs the good of the few would do better. Specifically, a system where the quality of a solution is judged by how well it serves the needs of society v/s how well it lines the pockets of the implementers would theoretically value effective information security over “sorry, our bare-bones budget would be exceeded if we implemented effective security.”

I agree with you that until these company’s and all company’s that collect personal information be it email addresses, phone numbers, etc. are forced to have security controls in place they will address it at the time of the incident. We already see that reputational risk has not been a major incentive to protect information, but more of a inconvenience and cost of doing business. The CFPB needs to expand their territory to more than just financial institutions.

Sorry Brian, I really appreciate your reporting but in this case I think the gender is irrelevant, distracting, makes the sentence awkward to read, and can reasonably be misinterpreted as having some significance to the event.

First, think of all the times in the news that women are numbered and men are anonymized as “workers.” If women are hurt, it is treated as more special than if men are hurt. (This is the weird, tiny intersection of feminism and chivalry.) Perhaps by accident, it is now standard to mention a “female employee” rather than just an employee, and that has carried over to where a particular woman is at fault and not an injured victim at the coal plant. As the first comment said, who in this day doesn’t know that you don’t give your password over the phone. I would add “or to a stranger, and certainly not a stranger on the phone!” In some very small companies, the IT staff will occasionally need a password, but they aren’t strangers.

On a separate note…
It is well known that women are more geared toward “go-along-to-get-along” than men. That’s “more geared,” which means that beyond a certain threshold, there are more women than men there, and thus more women fall for social engineering. The communists understood this and use feminism to undermine the thinking in society. Perhaps the Cox employee’s unconscious understanding of this gender trend came out. For a much more clear explanation of these gender trends, check out Dean Gotcher’s lectures on “Diaprax.” Watch the 4-part series with the white trellis behind him. It’s better than the other versions on YouTube. Gender trends are not evil. They’re just who we are and are good to understand. For example, men’s eyes and brains are more geared toward forward sight, and can thus judge distances better than women, while women’s brains are more geared toward peripheral vision, allowing them to keep a different type of cognitive map and track landmarks better. Women’s social priorities can create fake peace, going along to get along (and it’s a spectacle when it breaks down) more than men. Thus, socially engineering men may require a different tact. I wouldn’t worry that the man being interviewed said that it was a female employee. I’m almost numb to “female employee” because I hear it positively and negatively. What is destroying workplaces and society is the combination of Peter Drucker’s managment systems (directly from Fascism) and Feminism. That’s not femininity, female qualities, but Feminism, an oppressive political movement. If you study Feminism far enough and then think about it, it actually insists on either removing freedoms or adding burdens for women by insisting that women live according to a certain “UberFrau” standard.

Personally, I’ve been blessed over the years to work in places, though not all, where my female co-workers retain their femininity, allow me to be masculine (that’s rare!), and have no interest in Feminism. So he said it was a female employee. So what. As someone else noted, would you have cared if he said it was a male employee instead of just an employee?

1. Personally, I find it equally offensive when women are “numbered” as you put it and the men are not called out for their gender. Because some things just have nothing to do with gender, and this is one of them. I’m not sure what men being victims of anonymization more than women has to do with this article at all. Yes, it happens. But it’s a separate issue.

2. Nothing about this article is making a point about the susceptibility of certain genders to social engineering. If this was a direct quote from Boggs I would have said nothing, although I wouldn’t have agreed with him saying it either. But it’s not a direct quote, and it makes it seem like this article is implying the worker screwed up *because* she is female. Silly females, can hardly trust them to work in technical roles, am I right?

Personally, I think the fact that you feel that women should not be interested in their own rights and should adhere to your own idea of “femininity” is pretty disgusting. And yes, it would have been weird if the article had mentioned that a “male customer service representative” had given away his account information.

Thank you Savanna, after years of working in tech, it is something between tiresome and amusing to read Mike’s little screed on ‘Feminism’ and femininity – on a side note, how come we who don’t bear the burden of being attached to a dick still get smaller paychecks?

Agreed. It’s not the point of the article, and I realize there is plenty of other stuff in there to “take out of it” but it sticks out because it’s just so unnecessary and sounds like he is calling out the female gender for being technically inept. It wouldn’t stick out if females weren’t so often stereotyped as being just that.

Actually, the gender of the customer service representative was first introduced into the discussion via the form letter Brian received from Cox Communications — i.e., the third paragraph of this article.

“On or about Aug. 13, 2014, we learned that one of our customer service representatives had her account credentials compromised by an unknown individual . . .”

Because, as a male, the majority of attempts at “socially engineering” aimed at me are porn/dating/greed based, not relationship based. As a sysadmin who deals with these attempts aimed at other dudes, I see the same pattern.

None of those could get MY credentials, because none of them are what I am looking for. But I see dudes snared by porn and greed frequently. If that was the case in this report, then it would have been appropriate to say it was a “male employee” who got scammed.

Trying to be offended because the very accurate and meaningful gender identification is ludicrous. Some dude (we assume) used HER gender against her, and got the info. Trying to downplay that reality only shows a lack of understanding — something the cyber-criminals are not afraid to use against us.

Perhaps Brian is simply reporting the facts from the letter he received, “…one of our customer service representatives had her account credentials compromised…” and then what Boggs had told him.
Gee whiz Brian, please stop reporting the facts you’ve been given by your sources. It’s not like he was dwelling on it, “and so this chick CSR…”

While the gender of the CSR isn’t relevant to the critical point of the article, the fact that the Cox communication revealed the fact provides a reasonable explanation as to why Brian K reported it as such. Some people knit and some people pick at the nits and this is one of the latter cases.

Please note that [COMPANY NAME] takes the security of your personal data very seriously. It is used way too often and then followed by a offer of a free level of protection in freezing your credit records. But then you realized it may cost you $9.95/month for basic protection up to $29.99 a month for “better” protection.

Multi-factor is generally requiring the user to input something in addition to a username and password, such as a one-time code outputted from a mobile app, or via text message.

In my opinion, true two-factor authentication uses a second factor that is not in the same “band” as the first. In other words, if the user name and password are accepted via the browser, the second factor should be delivered to the user and served to the login page via a completely separate avenue, such a mobile phone app. Full disclosure: Duo Security, which has probably the best approach I’ve seen on this front, is an advertiser on this blog.

Both approaches are designed so that if the user has their credentials stolen, the attacker still needs that second factor (in most cases, the user’s phone) to log in. However, if the credentials were stolen because of a bot on the victim’s machine, then having a second factor that you merely enter into the browser is not going to help, because the attackers can control what you see in your browser, hence they can intercept the one-time token. This site features many, many stories about this type of multi-factor being defeated in exactly this way. This is where the true two-factor approach really shines.

What good reason is there for a cable company to have the last four digits of customers’ SSNs or drivers license numbers? That info is far too sensitive to be necessary for most companies. My gas company requires the SSN last four. It would be appalling if they collect this information to sell it, and if that’s not what they’re doing, it’s just lazy and reckless.

Brian,
Thanks for the great article! On Sept. 30 I received a message from Register.com, pasted below. I changed my password and the funny thing is that still, the system accepted my new password of only 6 (not 8) characters (an upper case letter, a lower case letter, a number), without a special character.

Important! Account Manager Password Change
We have recently identified malicious activity affecting a limited number of customers. Your account has been identified as possibly vulnerable to malicious cyber-attacks, due to a weak password. As your provider, Register.com is committed to maintaining the highest possible security for your services. In order to proactively protect your account against these kinds of issues, we are requiring a password change to further strengthen your Register.com account security. Please take a few minutes now to make this change, so you can protect your Register.com account.

Find the drop down menu next to the text “Log in to:” and make sure you select “Account Manager.”
Click on “Forgot your password” link under the Password box.
Enter your User Name or domain and click Continue.
Next you can either answer the security question or request to have the a link sent to you.
You will need to check your email for a message sent that will include a link to walk you through the password change process.
Once you have changed your password, you will see a confirmation message on the screen.
Password must be 8-20 characters and must contain all of the following: an upper case letter, a lower case letter, a number and a special character (!@#$%^&*).

If you have any questions, please do not hesitate to contact us. If you have trouble setting your new password, please contact one of our customer service agents at (877)731-4441 (within the US) or (902)749-5918 (outside of the US and Canada). Agents are available 24/7 to assist you.

We appreciate your cooperation in this effort to improve security for you, and we apologize for any inconvenience this may cause.

This looks like a phish message, designed to capture your existing password. Hopefully, you keyed in the link and didn’t just click on it. If you clicked on the link and entered your existing password, then your account may have been compromised.

The sad part is that companies send phish-like messages that are actually legitimate. Recently, I even got one from a security company! These do two things: Provide a sample for the scammers to use and make it harder for security professionals to educate users to not respond to phish messages.

Keep in mind, getting your register.com password is not going to do much damage by itself. But have you used that same password elsewhere? If so, you need to sign on to each of those accounts and change your password. If you can’t sign on, then there’s a good chance that the scammer beat you to it and changed it themselves.

Back in 2007 in the UK, the HM customs office lost a CD with personal information on 15,000 people.

They decided to follow this up with a set of CDs containing Full Name, address, National Insurance Number, Date of Birth, Partner’s details, Names Sex and age of children, Bank/savings account details of around 25 million people.

The recipient didn’t even need or want some of that information but it was quicker and cheaper to just dump the database to CD, and lets not bother to waste time using any proper encryption.

What was the statement they put on the press release?

“HMRC take the security of customer information very seriously.”

Ironic, as after the first breach they also said:

‘We have also reviewed our arrangements and introduced safeguards to prevent this happening in future’

Oh, please. The world is coming to an end and the hackers have begun the battle of the 21st century; the keyboard is the weapon. There is no place for arguments about gender in these critical discussions.
You have more key things to be doing, such as following Brian’s awesome knowledge and guidance and doing as much as you can to protect your information and strike a blow against these creatures as much as you can.

Does anyone know how to contact Cox and determine if their account was also compromised? I also live in Fairfax County and contacted support, and the response from their office included:
“Unfortunately we cannot verify from our end if any of your user Id’s was compromised unless you report us that you are having issues with any of your user ID’s.”

at this point, i wonder who isn’t compromised, seems to me that the russian business network, or the chinese, can just collect all the personal data, then, when the time comes, like the south china sea or ukraine, it’s their trump card to play, that and whatever happened at things like JPMorgan

Another “big name” company that doesn’t take your security very seriously is KLM, the Royal Dutch Airlines. If you sign up for a “Flying Blue” frequent flyer account, you get to choose as your password… a 6-digit PIN code! And the site even suggests you to use 4 digits only…